Lucene search
+L

6 matches found

Github Security Blog
Github Security Blog
added yesterday5 views

Flask-Reuploaded: Extension-denylist bypass via case-folding asymmetry in name-override path (incomplete-fix variant of CVE-2026-27641)

Header | Field | Value | |---|---| | Title | Extension-denylist bypass via case-folding asymmetry in name-override path incomplete-fix variant of CVE-2026-27641 | | Project | Flask-Reuploaded flaskuploads | | Affected | extension"shell.php" = "php" - extensionallowed"php" - DENY correct...

9.8CVSS5.8AI score0.01046EPSS
Exploits1References3Affected Software1
NVD
NVD
added 2026/06/22 6:16 p.m.14 views

CVE-2026-53537

Python-Multipart is a streaming multipart parser for Python. Prior to 0.0.30, parseoptionsheader parsed Content-Disposition and Content-Type headers with email.message.Message, which transparently applies RFC 2231/5987 decoding. The extended parameter syntax filename=charset'lang'value, name=...,...

5.3CVSS0.00177EPSS
Exploits0References1
Github Security Blog
Github Security Blog
added 2026/05/19 4:18 p.m.36 views

Envoy AI Proxy - MCP Message Smuggling Vulnerability

Envoy AI Gateway was found to be affected by a protocol parser differential vulnerability due to improper implementation of the JSON-RPC 2.0 specification. Such differential causes a MCP message alteration, potentially causing a bypass of security controls in a multi-layered architecture. Accordi...

5.9AI score
Exploits0References2Affected Software1
EUVD
EUVD
added 2025/10/03 8:7 p.m.4 views

EUVD-2022-15449

Malicious code in bioql PyPI...

8.8CVSS8.6AI score0.0088EPSS
Exploits0References1
Microsoft CVE
Microsoft CVE
added 2024/09/11 7:0 a.m.9 views

ctorName in index.js in kind-of v6.0.2 allows external user input to overwrite certain internal attributes via a conflicting name as demonstrated by 'constructor': {'name':'Symbol'}. Hence a crafted payload can overwrite this builtin attribute to manipulate the type detection result.

...

7.5CVSS7.7AI score0.02342EPSS
Exploits1
ATTACKERKB
ATTACKERKB
added 2022/01/24 2:2 p.m.8 views

CVE-2022-0270

Prior to v0.6.1, bored-agent failed to sanitize incoming kubernetes impersonation headers allowing a user to override assigned user name and groups...

8.8CVSS7.6AI score0.0088EPSS
Exploits0References2Affected Software1
Rows per page
Query Builder